Removing Failed DC Data From Active Directory

In this article I will guide you through the process of removing a failed DC's metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment.

These steps are not necessary in a Windows Server 2008 environment, as described in this article. In Windows Server 2008 and Windows Server 2008 R2, removing a failed DC's computer account from the Active Directory Users and Computers console automatically cleans up the server metadata.

DCPROMO is the tool Microsoft provides to promote a server to the domain controller role or demote a domain controller to a member server. It creates the necessary records in AD when promoting and deletes them when demoting. However, if you have a failed DC that cannot be gracefully demoted from AD, or an attempt to remove a DC from a domain or to promote a server to a DC fails, you will find this article helpful. The data left over in AD will cause serious problems: you will continuously get replication errors, you will not be able to set up another DC with the same name, and so on.

What motivated me to write this article is a replication problem I encountered at one of my clients. Let me tell you the story and then start. I was going to set up a test environment for one of my client's System Center Configuration Manager (SCCM) deployment scenarios. They have two DCs in their environment, one of which holds the FSMO roles such as PDC Emulator. I converted their production environment to a virtual ESX test environment. I turned on the virtual PDC Emulator and the new virtual server I had created for SCCM. Everything went fine until I tried to extend the AD schema. I got an error that the extension could not continue. I figured out from the replication logs that the schema extension tool was failing because the extended AD schema could not be replicated to the other domain controller. Then I realized the mistake I had made: I had not converted the second domain controller to the ESX test environment! It is just like the scenario where you have a crashed DC that cannot be brought back. So, I used the method below to remove that server from the test environment to stop any replication attempts, and documented it for future use.

Note that I reproduced the problem in my test environment to write this article. All server names are from my test environment, not my client's environment.

Now let's begin.

Before we begin I must warn you that the wrong usage of NTDSUTIL may cause irreversible damage to your AD and may result in partial or complete loss of AD functionality. The article is written based on my field experience and I do not accept any responsibility for any damage. However, if you have problems regarding this, I will gladly try to help you in EE forums.

Now that the metadata is cleaned up, we will also manually delete some objects related to the failed DC.

15. Open Active Directory Sites and Services, expand the site where the failed DC was previously located.

16. Right click the failed DC's server object and click Delete.

17. Open Active Directory Users and Computers. Navigate to the Domain Controllers container.

18. Right click the failed DC's computer object and click Delete. You will be asked whether you want to delete the server without running DCPROMO. Select "This domain controller is permanently offline ...." and click Delete.

19. Open the DNS console and delete any CNAME and HOST (A) records for the failed server.
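Steps 15 to 19 above are console clicks, which makes them easy to skip or to do in the wrong order. The PowerShell script below is an added example (it is not from the original article and does not use ntdsutil) that audits AD and DNS for the same leftover objects and removes them only once metadata cleanup is confirmed. It assumes the RSAT ActiveDirectory and DnsServer modules, so Windows Server 2008 R2 / 2012 or later rather than the 2003 environment described above, run in an elevated session by a Domain Admin. The value of `$FailedDc` is a placeholder; `$DryRun` keeps every delete as a `-WhatIf` report until you set it to `$false`.

```powershell
# Added example, not part of the original article. Audits AD and DNS for the
# objects a failed DC leaves behind (the ones steps 15-19 delete by hand) and
# removes them only after ntdsutil metadata cleanup has been done.
# Assumes RSAT ActiveDirectory + DnsServer modules (2008 R2 / 2012+), run
# elevated as a Domain Admin. $FailedDc is a placeholder for your environment.

Import-Module ActiveDirectory
Import-Module DnsServer

$FailedDc = 'FAILEDDC01'   # placeholder: NetBIOS name of the failed DC
$DryRun   = $true          # $true = report only (-WhatIf); set $false to delete

$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext
$domainNc = $rootDse.defaultNamingContext
$zone     = (Get-ADDomain).DNSRoot
$fqdn     = "$FailedDc.$zone."          # DNS cmdlets return FQDNs with a trailing dot

# --- Steps 15-16: server object under Sites and Services ---------------------
# Search the whole Sites container so the site name does not have to be known.
$server = Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$FailedDc'" `
                       -SearchBase "CN=Sites,$configNc"
if ($server) {
    # An NTDS Settings (nTDSDSA) child means metadata cleanup has NOT run yet;
    # deleting the server object first would be the wrong order.
    $ntds = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" `
                         -SearchBase $server.DistinguishedName -SearchScope OneLevel
    if ($ntds) {
        Write-Warning "NTDS Settings still exists under $($server.DistinguishedName); run ntdsutil metadata cleanup first."
    } else {
        Write-Host "Removing server object $($server.DistinguishedName)"
        Remove-ADObject -Identity $server.DistinguishedName -Recursive -Confirm:$false -WhatIf:$DryRun
    }
} else {
    Write-Host "No server object named $FailedDc under CN=Sites (already gone)."
}

# --- Steps 17-18: computer account in the Domain Controllers container -------
$computer = Get-ADComputer -Filter "Name -eq '$FailedDc'" `
                           -SearchBase "OU=Domain Controllers,$domainNc"
if ($computer) {
    Write-Host "Removing computer account $($computer.DistinguishedName)"
    # -Recursive: a DC's computer object carries child objects (e.g. RID Set, DFSR)
    Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false -WhatIf:$DryRun
} else {
    Write-Host "No computer account $FailedDc in OU=Domain Controllers (already gone)."
}

# --- Step 19: HOST (A) and CNAME records in DNS ------------------------------
# HOST (A) records for the server itself.
Get-DnsServerResourceRecord -ZoneName $zone -Name $FailedDc -RRType A -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "Removing A record $($_.HostName) -> $($_.RecordData.IPv4Address)"
        Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $_ -Force -WhatIf:$DryRun
    }

# The DSA-GUID CNAME lives in _msdcs (a separate zone by default, or a subdomain
# of the domain zone on upgraded forests). The GUID is gone after metadata
# cleanup, so match on the alias target instead of the record name.
foreach ($candidateZone in @("_msdcs.$zone", $zone)) {
    Get-DnsServerResourceRecord -ZoneName $candidateZone -RRType CName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.HostNameAlias -eq $fqdn } |
        ForEach-Object {
            Write-Host "Removing CNAME $($_.HostName) -> $fqdn in zone $candidateZone"
            Remove-DnsServerResourceRecord -ZoneName $candidateZone -InputObject $_ -Force -WhatIf:$DryRun
        }
}
```

Run it once with `$DryRun = $true` to see exactly which objects would go, then again with `$false`. The NTDS Settings check is the important safeguard: it refuses to touch the server object while the failed DC's replication metadata is still present, which is the condition the ntdsutil procedure exists to clear.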
